Just because something's closed source doesn't mean we can't learn about it. The field of reverse engineering has been around for a long time, and the iPhone and Mac are two of the most studied devices around.
Ultimately you do have to trust your platform if you're going to use a platform authenticator to some degree.
But the alternative in the FIDO2/WebAuthn space is something like a YubiKey, which has no biometrics; it just takes a simple tap, and it can be easily removed from your computer. So in that comparison, the fingerprint is purely additive security. Even if it's adding nothing to a serious adversary, it's still dramatically reducing risk to a less-skilled local attacker.